<html>
<head>
  <title></title>
  <link rel="stylesheet" href="docs.css" type="text/css"/>
</head>
<body>
<h1 class="heading">Preventing SQL Injection</h1>

<h3 class="heading">Using ATextConverter::makeSQLSafe</h3>
To protect against SQL injection all user input should be filtered.<br />
<pre class="code">  
  AXmlElement& outputXml = context.useModel().addElement("myapp");
  AString userId;
  if (!context.useRequestParameterPairs().get(ASW("userid",6), userId))
  {
    // Handle the case when user provided value is missing
    // Usually adding XML element with error that will be handled by the view
    outputXml.addElement(ASW("error",5)).addElement(ASW("no-userid",9));
    return AOSContext::RETURN_OK;
  }

  AString query("select data from mytable where user_id=");
  <b>ATextConverter::makeSQLSafe(userId, query);            // Makes the user input SQL safe (to prevent SQL injection)</b>
  
  AString error;
  AResultSet result;
  size_t rows = context.useServices().useDatabaseConnectionPool().useDatabasePool().executeSQL(query, result, error);
  if (rows > 0 && error.isEmpty())
  {
    result.emitXml(outputXml);
  }
  else
  {
    context.addError(this->getClass(), error);
  }
  return AOSContext::RETURN_OK;
</pre>
<br />
</body>
</html>
